Passengers and drivers alike recently found out that Uber paid hackers $100,000 to cover up a data breach that compromised the driver and rider accounts of at least 57 million people. We also found out that Uber kept this information secret for more than a year. So how bad is this data breach and what should you do about it? Today, senior RSG contributor Will Preston covers the breach, how it affects drivers and riders, and what you should do today to protect yourself.
Depending on where you read about the Uber data leak, combined with what you already think about Uber’s ethics, you may be anywhere from mildly concerned to completely outraged. As a person who has made most of his living protecting other people’s data, I’m much closer to the latter than the former. I’ll explain why I’m so outraged, and give some advice on what to do.
Note: You can read Uber’s official statement about the hacking incident here.
In October 2016, hackers downloaded the full names, email addresses and phone numbers of 57M riders, and also obtained the driver’s license numbers of 600,000 US drivers. Uber says they “took immediate steps to secure the data, shut down further unauthorized access, and strengthen our data security.”
Multiple outlets have reported that the immediate step Uber apparently took was to pay the hackers $134K to destroy the data they stole. Additionally, Uber didn’t immediately notify riders or drivers of the hack. “We think this was wrong,” Dara Khosrowshahi, the new CEO of Uber, says in a blog post.
No kidding. Not only was it wrong, it was also illegal in 48 states to not notify people of a data breach. More on that, but first, what does this mean for passengers and drivers?
Is This a Big Deal for Passengers?
While the passenger information obtained seems relatively minor (since it didn’t include either driver’s license numbers or Social Security numbers), it isn’t minor when you consider how phishing attacks work.
57 million riders can now be sent an email addressed directly to the person concerned, using the name Uber refers to them by, in order to try to get their Uber password. And that is exactly what is already happening, according to this Twitter user.
This is one of the reasons why not reporting it at all is the real problem here. Even now that Uber has chosen to report this to the media, they’re telling riders there is nothing to worry about. Nor are they telling any riders if they were affected by the breach.
Is This a Big Deal for Drivers?
A hacker can definitely do damage to your reputation using your driver’s license number. They can’t open accounts in your name unless they have your Social Security number and date of birth, but they can still do damage.
They can give the driver’s license number to a cop that stops them, or they can create a fake ID that is used in other crimes, such as bouncing bad checks in your name. You could find yourself under indictment for check kiting without ever having written a check.
In addition, the driver’s license is just one more piece in the puzzle of your life. Hackers may already have your name, date of birth (DOB), and Social Security number from the Equifax breach. Tying your driver’s license number to that makes the portfolio that much stronger and more valuable.
Just like riders, drivers should be on the lookout for phishing scams that use this data breach to try to get you to reveal your password. The best way to thwart them now is to immediately go change your Uber password. Then you can ignore any messages telling you to do so.
This Was a Direct Violation of Multiple State Laws
As of this writing, 48 states and territories (including DC, Puerto Rico, and the US Virgin Islands) have enacted laws requiring notification of security breaches involving personal information. Only Alabama and South Dakota have no such law.
By failing to notify those affected, especially the 600,000 drivers whose driver’s license numbers were stolen, Uber may have actually committed a crime in 48 states and territories.
And this was not like the crimes they allegedly committed with “Greyball,” the secret program designed to help Uber drivers evade regulators where Uber wasn’t exactly legal. That “crime” had a “Robin Hood” feel to it, allowing Uber drivers (the Robin Hoods) to give customers a superior, cheaper service than taxis, while evading the authorities (the Sheriff of Nottingham).
No such spin is possible here. The only thing Uber was protecting by not going public with this breach was Uber’s own reputation. Unfortunately, this announcement will likely do more damage to their reputation than the original one would have.
Blatant Disregard for the Safety of Customer and Driver Information
Even if there weren’t 48 state laws that require immediate notification of such breaches, the fact that Uber wouldn’t notify its customers and drivers of a data breach shows blatant disregard for the safety of their information. The new CEO, Dara Khosrowshahi, says that everyone who was responsible for this has left the company. But the environment in which these people flourished is still there. He has a lot of work to do to clean up the culture of the company.
It Shows an Alarming Naivete About Data Leaks and Hackers
Multiple reports indicate that Uber’s response was to pay the hackers $134K to “destroy the data.” Khosrowshahi’s blog post said that they “subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.” First, this falls under the auspices of never negotiating with terrorists, because it only emboldens them. Hackers now know that they can extort money out of Uber if they steal its data.
Second, data is not like a car. You can’t just give it back, nor can you count on a hacker to destroy said data. Whatever assurances Uber was given were given by criminals. Once data is stolen, you have to assume it is everywhere. The Internet never forgets. Just ask any of the celebrities whose nude photos ended up online.
What Should You Do?
I haven’t gotten a single email from Uber about the hack or seen any kind of in-app notifications. There are a few things you can and should do to respond to this breach. You may find some of them strange, but this is the world we’re in.
Tell Uber you want to be notified
If you want to find out if you’ve been hacked, you can go to this page about the incident and ‘opt in’.
Unfortunately, this doesn’t immediately notify you if you have been hacked. It merely tells Uber that you want to be notified if you’ve been hacked. Hey Uber! We all want to know if we’ve been hacked! I’m shaking my head on this one.
I did receive an email from Uber support the next day telling me my driver’s license was not included in the download (but Harry got one that said he had been hacked).
Immediately change your Uber password, and anywhere else you used it
The standard response to such an event is to immediately change your password to the affected account. I would also tell you to enable two-factor authentication, but Uber doesn’t appear to support that yet.
You should also change the password on any accounts where you used the same password you used on your Uber account. That, of course, brings up another issue.
Don’t reuse passwords
You should never use the same password on multiple accounts. Reusing passwords significantly increases your risk if one of your accounts is breached. Since the number of accounts we have in the modern world can be measured in the dozens or hundreds, the best way to deal with this is to use a password manager such as OneCross or Dashlane. Personally, I use Dashlane and like it.
Use good passwords
Learn what makes a good password and follow these suggestions. The best advice I can give you is that longer is better. An 8-character password can be guessed by modern computers in about fifteen minutes. Guessing an 11-character password would take 53 years.
Take the free credit monitoring, but watch for caveats
If you’re offered free credit monitoring from Uber, I’d say take it. There is nothing wrong with monitoring your credit. It doesn’t hurt your credit to do so, and you may learn a few things in the process.
One thing to watch out for, though. If you’re considering suing Uber, check any agreement for a waiver of rights. The Equifax breach, for example, also offered free credit monitoring. But if you took them up on it, you waived your right to sue them. (This waiver has since been removed.)
This is the Worst Thing I’ve Ever Seen Uber Do
I’ve taken a lot of heat from some readers for defending Uber over UberPOOL, upfront pricing, and other things. I was always able to see Uber’s side of the story. This is not the case with this story.
Uber’s actions here were potentially criminal in almost every state and territory, and show a huge disregard for the privacy of customer data. Even the blog post describing the incident attempts to spin it in a way that doesn’t reflect reality. The irony that this happened in the midst of the 180 days of change and on the same exact day they released Chapter 6 is also not lost on me.
Readers, do you have any questions about the hack? Make sure to visit this page and tell Uber to let you know if your account was compromised.
-Will @ RSG
Will Preston is a part-time rideshare driver with over 1,500 rides under his belt. He drives in the San Diego market. Like a lot of people, Preston has a day job, and it is as an IT analyst specializing in backup and recovery.